The trend towards increasingly sophisticated malware behavior, including the use of exploits and other attack vectors, makes older platforms much more susceptible to ransomware attacks. From June to November 2017, Windows 7 devices were 3.4 times more likely to encounter ransomware than Windows 10 devices.

Configure your Trust Center to disable macros

Set the Trust Center in your Microsoft Office programs to 'Disable all except digitally signed macros' to control which macros can run on machines in your network. Some malware tries to get into your system through macros, which usually arrive through the email infection vector.

See the Office support page "Enable or disable macros in Office files" for details. Administratively disabling macros can help prevent malicious macros from downloading ransomware or other threats onto your machine or your network.

For more details about macros, ransomware, advanced persistent threats, and how you can protect your enterprise from them, see the following report and video:

Threat behavior

Installation

This ransomware can be installed when you open an attachment, usually a Word file (.doc), from a spam email. Aside from Office documents, this threat can also use other downloaders such as .JS and .BAT files as attachments in spam emails. The file contains a macro which downloads the ransomware and runs it on your PC.

It sets the following registry values:

In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "paytext"
With data: hex:ef,bb,bf,20,20,20,20,20,20,20,20,20,20,20,20,21,21,21,20,49,4d,50,4f,52,54,41,4e,54,20,49,4e,46,4f,52,4d,41,54,49,4f,4e,20,21,21,21,21,0d,0a,0d,0a,41,6c,6c,20,6f,66,20,79,6f,75,72,20,66,69,6c,65,73,20,61,72,65,20,65,6e,63,72,79,70,74,65,64,20,77,69,74,68,20,52,53,41,2d,32,30,34,38,20,61,6e,64,20,41,45,53,2d,31,32,38,20,63,69,70,68,65,72,73,2e,0d,0a,4d,6f,72,65,20,69,6e,66,6f,72,6d,61,74,69,6f,6e,20,61,62,6f,75,74,20,74,68,65,20,52,53,41,20,61,6e,64,20,41,45,53,20,63,61,6e,20,62,65,20,66,6f,75,6e,64,20,68,65,72,65,3a,0d,0a,20,20,20,20,68,74,74,70,3a,2f,2f,65,6e,2e,77,69,6b,69,70,65,64,69,61,2e,6f,72,67,2f,77,69,6b,69,2f,52,53,41,5f,28,63,72,79,70,74,6f,73,79,73,74,65,6d,29,0d,0a,20,20,20,20,68,74,74,70,3a,2f,2f,65,6e,2e,77,69,6b,69,70,65,64,69,61,2e,6f,72,67,2f,77,69,6b,69,2f,41,64,76,61,6e,63,65,64,5f,45,6e,63,72,79,70,74,69,6f,6e,5f,53,74,61,6e,64,61,72,64,0d,0a,20,20,20,20,0d,0a,44,65,63,72,79,70,74,69,6e,67,20,6f,66,20,79,6f,75,72,20,66,69,6c,65,73,20,69,73,20,6f,6e,6c,79,20,70,6f,73,73,69,62,6c,
--> This is the content of _Locky_recover_instructions.txt, stored as UTF-8 text with a leading byte-order mark (ef,bb,bf); the dump above is truncated.

In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "completed"
With data: "dword:00000001"
--> Set once the ransomware has finished encrypting the machine
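Reading the "paytext" value during incident response, as an added example (Python, not code from the page or from Microsoft): it parses the .reg-style "hex:" literal shown above, strips the UTF-8 byte-order mark the data begins with, and survives a dump that is cut off mid-list. The sample constant reproduces only the first part of the page's own hex data.

```python
import re

# The 'paytext' registry data as the page shows it: a .reg-style REG_BINARY literal. Only the
# first part of the page's dump is reproduced here; the trailing comma is kept on purpose
# because the page's value is cut off mid-list and a parser has to cope with that.
PAYTEXT_HEX = (
    "hex:ef,bb,bf,20,20,20,20,20,20,20,20,20,20,20,20,21,21,21,20,49,4d,50,4f,52,"
    "54,41,4e,54,20,49,4e,46,4f,52,4d,41,54,49,4f,4e,20,21,21,21,21,0d,0a,0d,0a,"
    "41,6c,6c,20,6f,66,20,79,6f,75,72,20,66,69,6c,65,73,20,61,72,65,20,65,6e,63,"
    "72,79,70,74,65,64,20,77,69,74,68,20,52,53,41,2d,32,30,34,38,20,61,6e,64,20,"
    "41,45,53,2d,31,32,38,20,63,69,70,68,65,72,73,2e,0d,0a,"
)

_BYTE_TOKEN = re.compile(r"[0-9a-fA-F]{2}")

def reg_hex_to_bytes(value: str) -> bytes:
    """Parse 'hex:aa,bb,...' into bytes. Accepts .reg line continuations ('\\' + newline),
    whitespace, and a dangling trailing comma; rejects anything that is not a hex byte."""
    body = value.strip()
    if body.lower().startswith("hex:"):
        body = body[4:]
    tokens = [t.strip() for t in body.replace("\\\n", "").split(",")]
    tokens = [t for t in tokens if t]  # drop the empty token left by a trailing comma
    bad = [t for t in tokens if not _BYTE_TOKEN.fullmatch(t)]
    if bad:
        raise ValueError(f"malformed registry hex data near {bad[0]!r}")
    return bytes(int(t, 16) for t in tokens)

def decode_paytext(value: str) -> str:
    """Turn the 'paytext' data into the ransom-note text. The bytes begin with the UTF-8
    byte-order mark (ef bb bf), which the 'utf-8-sig' codec strips; a dump that was cut
    off inside a multi-byte character decodes to U+FFFD instead of raising."""
    raw = reg_hex_to_bytes(value)
    return raw.decode("utf-8-sig", errors="replace").replace("\r\n", "\n")

def looks_like_locky_note(text: str) -> bool:
    """Triage check on decoded text: Locky's note names the ciphers it claims to use."""
    return "RSA-2048" in text and "AES-128" in text

if __name__ == "__main__":
    print(decode_paytext(PAYTEXT_HEX))
```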

Payload

This ransomware can encrypt the files on your PC using a public key. The files can be decrypted with a private key stored in a remote server.

Before it encrypts files, it connects to its C2 server to relay encrypted information about the machine using a hardcoded IP address in the binary.

If that is not accessible, it will use its Domain Generation Algorithm (DGA) to connect to other available servers.

Once it has received a reply from its remote server, it will start encrypting files in the system and receive the ransom note with the user's personal Tor payment website.

It encrypts files with the following extensions:

.001, .002, .003, .004, .005, .006, .007, .008, .009, .010, .011, .123, .602, .3dm, .3ds, .3g2, .3gp, .7z, .aes, .apk, .ARC, .asc, .asf, .asm, .asp, .asset, .avi, .bak, .bat, .bik, .bmp, .brd, .bsa, .bz2, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .CSV, .d3dbsp, .das, .db, .dbf, .dch, .dif,
.dip, .djv, .djvu, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .fla, .flv, .forge, .frm, .gif, .gpg, .gz, .hwp, .ibd, .iwi, .jar, .java, .jpeg, .jpg, .js, .key, .lay, .lay6, .lbf, .ldf, .litemod, .litesql, .ltx, .m3u, .m4a, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11,
.ms11 (Security copy), .MYD, .MYI, .n64, .NEF, .odb, .odg, .odp, .ods, .odt, .onetoc2, .otg, .otp, .ots, .ott, .p12, .PAQ, .pas, .pdf, .pem, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .pst, .qcow2, .rar, .raw, .rb, .re4, .RTF, .sav, .sch, .sh, .sldm, .sldx, .slk, .sql,
.SQLITE3, .SQLITEDB, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .upk, .vb, .vbs, .vdi, .vmdk, .vmx, .vob, .wallet, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip

It drops ransom notes into folders where it has encrypted user files. We have seen the following ransom note filenames:

The ransom notes contain a link to a webpage that has a personalized Bitcoin address and instructions on how to pay the ransom:

The ransomware skips files whose path contains any of the following directory or file names, which are hardcoded in one of its strings:

$Recycle.Bin

Appdata

Application data

Boot

Program Files

Program files (x86)

System Volume Information

temp

thumbs.db

tmp

Windows

winnt

It renames encrypted files using one of the following formats:

[ID][hexadecimal identifier].locky (encrypted files)

[ID][hexadecimal identifier].zepto (encrypted files)

[ID][hexadecimal identifier].odin (encrypted files)

[ID][hexadecimal identifier].shit (encrypted files)

[ID][hexadecimal identifier].thor (encrypted files)

[ID][hexadecimal identifier].aeris (encrypted files)

[ID][hexadecimal identifier].osiris (encrypted files)

Examples:

8C05983C8B06FC65A0A9F44EDE9CA812.locky

8C05983C8B06FC65A1E1405B2324F5A5.locky

6DB14EFB-D86D-38B5-93A5-8E1FDE9A780A.odin

6DB14EFB-D86D-38B5-A881-336FB6E886BD.odin

GX9A8TUK-DJE4-J06B-DEFB-E84D41EAE797.shit
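Detecting already-renamed files from a directory listing, as an added example (Python, not code from the page or from Microsoft). It encodes the two naming schemes above and the seven variant extensions; note that the page's own .shit example contains letters outside 0-9A-F, so the GUID-style pattern is matched as alphanumeric rather than strict hex. The listing and paths are constructed for the example.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Variant extensions and renaming schemes listed above. The second scheme is written as
# [0-9A-Z] rather than hex on purpose: the page's example GX9A8TUK-DJE4-J06B-DEFB-E84D41EAE797
# contains letters outside 0-9A-F, so a strict hex pattern would miss it.
LOCKY_VARIANT_EXTENSIONS = ("locky", "zepto", "odin", "shit", "thor", "aeris", "osiris")
RANSOM_NOTE_NAME = "_Locky_recover_instructions.txt"
_RENAMED = re.compile(
    r"^(?:[0-9A-F]{32}|[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{12})"
    r"\.(?P<ext>" + "|".join(LOCKY_VARIANT_EXTENSIONS) + r")$"
)

def locky_variant(basename: str) -> Optional[str]:
    """Return the variant extension if the name fits one of the renaming schemes, else None."""
    m = _RENAMED.match(basename)
    return m.group("ext") if m else None

def scan_listing(paths: Iterable[str]) -> Counter:
    """Count renamed files per variant, plus dropped ransom notes, over a list of paths.
    Matching is on the final path component, so Windows and POSIX separators both work."""
    hits: Counter = Counter()
    for path in paths:
        basename = re.split(r"[\\/]", path)[-1]
        variant = locky_variant(basename)
        if variant:
            hits[variant] += 1
        elif basename == RANSOM_NOTE_NAME:
            hits["ransom_note"] += 1
    return hits

# Constructed listing: the page's example filenames on invented paths, plus ordinary files
# and a near-miss (".locky" on a normal name) that a correct detector must not count.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\8C05983C8B06FC65A0A9F44EDE9CA812.locky",
    r"C:\Users\alice\Documents\8C05983C8B06FC65A1E1405B2324F5A5.locky",
    r"C:\Users\alice\Pictures\6DB14EFB-D86D-38B5-93A5-8E1FDE9A780A.odin",
    r"C:\Users\alice\Pictures\6DB14EFB-D86D-38B5-A881-336FB6E886BD.odin",
    r"C:\Users\alice\Desktop\GX9A8TUK-DJE4-J06B-DEFB-E84D41EAE797.shit",
    r"C:\Users\alice\Desktop\_Locky_recover_instructions.txt",
    r"C:\Users\alice\Desktop\budget.xlsx",
    r"C:\Users\alice\Desktop\notes.locky",
]

if __name__ == "__main__":
    print(dict(scan_listing(SAMPLE_LISTING)))
```

A single matching name is weak evidence on its own; several renamed files alongside the note file in the same folders is the pattern worth alerting on.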

It also deletes all volume shadow copies, changes the desktop wallpaper, opens _Locky_recover_instructions.txt and displays the same ransom image, telling you that you can recover the files using a personal link that directs you to a Tor webpage asking for payment (inaccessible at the time of writing).

We have seen it contact the following URLs (which are currently unavailable):


We have also seen it use apache_handler.php in the connection URI, for example:
